Carding Deep Dive: Inside Russian Carding Fraud Part 3
This is part three in our four-part series on credit card fraud, specifically focusing on the Russian carding landscape. In part one, we gave an overview of carding as an attack type and drilled into some key terms from the Carder’s Dictionary. In part two, we looked more closely at the motivations behind Russia being a hotbed of carding activity.
In part three, we’ll dive deeper into the tactics and techniques carding criminals use to steal card details, validate them, and turn them into profit – all whilst avoiding arrest and prosecution.
Next week we’ll round out the series with part four and discuss some preventative measures against you or your business falling foul of the fraudsters.
You can also read our full report on Russian carding.
Preparing an attack: Material acquisition
As we learned in the Carder’s Dictionary from part one in this series, carders refer to the tools and resources they need to carry out attacks as “material”. Material includes information such as stolen credit card numbers, personal information of cardholders, access to bank accounts, card verification codes, and even physical payment cards. It also includes tools like proxies needed to exploit this information.
How do carders acquire material?
As card details are sensitive and private, criminals must use illegal means to obtain them. This can include piggybacking off data leaks that are shared or sold on the dark web, or other types of fraud such as phishing, vishing and account takeover. Carders also “skim” cards to clone the information they contain, either physically, using devices installed on ATMs and point-of-sale terminals, or digitally, using Magecart-style skimming scripts injected into website checkout pages.
Stolen cards for sale: Carding Marketplaces
Card details acquired by criminals often end up on carding marketplaces and forums for resale, as a quick way for those who obtained them to “cash out”. Marketplaces exist on both the clear and dark web and offer not just stolen card details but other services such as money laundering and document forgery.
Card details sell for anywhere from a few dollars each to several hundred dollars, depending on the quality and completeness of the information (with “Fullz” being most valuable). The price can also depend on the issuing bank, security features of the card, the country of origin and the amount of risk involved in obtaining the card details.
Due to the anonymous nature of the forums, scams against newcomers are commonplace. There is no guarantee that paying up front will result in getting what you were expecting, as the seller can easily disappear without a trace. Some forums have combated this by enforcing the use of escrow or guarantor services.
Enrollment to online banking
A powerful tactic used by carders is to use stolen card details and personal information to enroll the card in online banking, which gives the crook full control over the account. Once enrolled, the carder can change the billing address on file so that AVS (Address Verification System) checks pass when the card is used for payments. Crucially, they can also change the contact phone number and email address, so that fraud alerts intended for the legitimate cardholder go to the carder instead when suspicious payments are attempted.
Enrollment is commonly sold as a service package, which includes access to a live operator who can impersonate the real card owner in phone calls to the bank in their native language.
Validating stolen credit cards
An important part of buying stolen credit cards is validating that they have not been blocked by the issuing bank. Blocking is likely as soon as any whiff of fraud is detected, so every use of a card, and every attempt to validate it, risks getting it flagged as stolen. Sellers often advertise the “valid rate” of the batches they sell, meaning the proportion of cards expected to still be live, and offer replacements for cards that turn out to be blocked.
Card checker services can be used to “soft check” the validity of cards without attempting a purchase. This reduces the risk of triggering anti-fraud systems or alerting the rightful owner to the activity, and the same services can be used to brute-force missing details such as CVV codes and expiry dates. These actions are often automated by bots.
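From the merchant’s side, the checker bots described above leave a recognisable pattern: one source attempting many different cards in a short burst, typically for tiny amounts and with a high decline rate, whereas a genuine shopper retries a single card. The following is an added example (not code from the original article or from any vendor) that flags this pattern in an authorization log. The log format, field names, thresholds and sample lines are all constructed for illustration; note that it keys on BIN plus last four digits only, since a full card number must never be written to a log.

```python
"""Card-testing detection over an authorization log.

Added example (not from the article). Assumes a merchant or gateway log with one
line per authorization attempt and the constructed field layout shown below.
Checker bots try many different cards from one source in a short burst, often
with tiny amounts and a high decline rate; a human shopper retries one card.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Fields, space separated:
# ISO-8601 timestamp | client IP | card BIN (first 6) | last 4 | amount | result
# Only the BIN and last four digits are logged: a full PAN must never be written to logs.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.10 411111 1111 1.00 DECLINED
2023-03-01T10:00:04Z 203.0.113.10 411111 2222 1.00 DECLINED
2023-03-01T10:00:06Z 203.0.113.10 555555 3333 1.00 APPROVED
2023-03-01T10:00:09Z 203.0.113.10 411111 4444 1.00 DECLINED
2023-03-01T10:00:11Z 203.0.113.10 400000 5555 1.00 DECLINED
2023-03-01T10:00:14Z 203.0.113.10 555555 6666 1.00 DECLINED
2023-03-01T10:02:30Z 198.51.100.7 411111 7777 89.99 DECLINED
2023-03-01T10:03:10Z 198.51.100.7 411111 7777 89.99 APPROVED
2023-03-01T09:10:00Z 192.0.2.44 411111 8888 42.50 APPROVED
2023-03-01T10:40:00Z 192.0.2.44 555555 9999 17.00 APPROVED
"""


def parse_line(line):
    """Split one log line into a dict; the card key is the masked BIN+last4."""
    ts, ip, bin6, last4, amount, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "card": f"{bin6}******{last4}",
        "amount": float(amount),
        "result": result,
    }


def detect_card_testing(log_text, window=timedelta(minutes=5),
                        min_distinct_cards=5, small_amount=5.0):
    """Return {ip: stats} for sources that tried at least min_distinct_cards
    distinct cards inside any sliding window of the given length. Stats come
    from the window with the most distinct cards for that source."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events_by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {e["card"] for e in win}
            if len(distinct) >= min_distinct_cards and (
                    best is None or len(distinct) > best["distinct_cards"]):
                declines = sum(1 for e in win if e["result"] == "DECLINED")
                small = sum(1 for e in win if e["amount"] <= small_amount)
                best = {
                    "distinct_cards": len(distinct),
                    "attempts": len(win),
                    "decline_rate": declines / len(win),
                    "small_amount_share": small / len(win),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_card_testing(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the constructed log, only 203.0.113.10 is flagged (six distinct cards in thirteen seconds, all for $1.00, five of six declined); the shopper who retried one card after a decline, and the customer who used two cards ninety minutes apart, are left alone. In production the same logic would be keyed on session or device identifiers as well as IP, since checker bots are routinely routed through rotating residential proxies.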
Avoiding anti-fraud measures
“Vbiv” is a Russian carding term for the process of entering stolen card details into a payment form. In doing this, carders must tread carefully to avoid triggering anti-fraud systems, so they mimic the behavior of a normal customer. They will create an account using the cardholder’s address and browse products, even engaging in live chats, to evade suspicion. They will also avoid pasting card details into the payment form, instead typing them manually as most legitimate customers do.
Making a profit: Cashing out on carding
Carders are laser focused on making money, so cashing out on their stolen cards is of utmost importance. The most effective methods are a closely guarded secret within hidden communities, as over-saturating a cash-out method diminishes its effectiveness. There are, however, a few well-known strategies, including:
Selling card data
The least risky cashing out method is simply to sell the card data to another party. Since individual cards sell cheaply, this requires the ability to obtain and validate card data in volume, with the payout scaling with the size and valid rate of the batches the carder can offer.
Online purchases
The most popular cashing out method. The carder can make a purchase at any eCommerce store, then resell the goods elsewhere. High liquidity goods that will shift fast, such as consumer electronics, are most popular. Carders often use intermediaries called “drops” to take delivery of the items and resell them for a fee.
Money transfer and payment services
Services such as PayPal, Skrill, Zelle, Qiwi and MoneyGram can be used to transfer money from stolen cards to the carder’s account. Fraudsters will either take over legitimate accounts to make transactions from, or use the stolen personal information within “fullz” to register a new account. Forged documents needed to open new accounts can be bought via carding marketplaces.
Creating merchant accounts
Carders can extract money from stolen cards by registering their own fake eCommerce webstore and making purchases from it with the stolen cards. Such sites are typically set up in the name of a “drop” who transfers the funds back to the carder, and they never sell anything that needs to be physically delivered – software licenses and e-books are common.
Cryptocurrency
Its pseudonymous, cross-border nature makes buying cryptocurrency an attractive way for card fraudsters to cash out. Carders prefer exchanges that don’t enforce KYC (know your customer) verification and will often hop between currencies and mix funds across wallets to obscure their origin before converting back to cash. Alternatively, many Russian carders have plenty of uses for cryptocurrency on the dark web, where such payments are preferred.
Gift cards
Spending money at stores via gift cards is less risky than using stolen credit cards directly, because gift cards are anonymous. After purchasing gift cards with compromised credit cards, the fraudster can either make purchases with the gift cards or sell them on criminal marketplaces, often at less than 50% of face value, although the resale rate depends on how widely accepted or in demand the gift card is.
Hotel and flight tickets
Experienced carders set up fake travel agencies offering heavily discounted holidays to the public. When a customer pays online, this money goes directly to the fraudster, who then uses stolen credit cards to make the corresponding booking with the airline and hotel using the personal details supplied by the real customer.
SIM cards
Loading up pay-as-you-go SIM cards with credit using stolen credit cards is one of the quicker ways to cash out. The SIM card balance can then be used to pay for anything that accepts mobile phone billing, for example online casinos. Carders could also set up a premium rate number for the purpose of draining the balance from each SIM card into other bank accounts.
Avoiding detection
Getting caught carding means serious jail time, so carders go to great lengths to remain anonymous and avoid prosecution. At the same time, they are constantly battling anti-fraud systems, which means they must present realistic-looking identities to be successful.
Online, the most telling identifier is the IP address. This is easily hidden using a VPN, and carders use a kill switch that drops the internet connection should the VPN fail, so that their true IP address is never transmitted. Attackers can also use residential proxy services to hide their origin within trusted home networks and appear to connect from the same locale as the legitimate cardholder. Providers usually source these exit points from botnets that take over devices with poor security, such as outdated routers or IoT devices like IP cameras.
In the screenshot above, a SOCKS5 proxy service called SocksEscort is used to find an exit IP address geolocated close to the cardholder’s billing address. For a detailed description of residential proxy networks and tools like SocksEscort, listen to season two, episode four of the Cybersecurity Sessions podcast.
Security systems also use device fingerprints to tell fraudsters from real customers. Fingerprints are made up of signals such as operating system, browser, cookies, web history and language settings. But criminals can spoof these attributes, making their connections appear normal, so no single signal can be trusted on its own.
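The “Vbiv” behaviour described earlier (fresh account created with the cardholder’s address, details typed rather than pasted) and the residential proxy and fingerprint spoofing described in this section are all aimed at individual anti-fraud checks. The following added example (not code from the original article or from any vendor) shows why a merchant combines such signals rather than relying on any one of them: a carder behind a residential proxy near the cardholder passes the IP-geolocation and AVS checks, so the decision has to rest on what remains, here the account age and a browser time zone that disagrees with the location of the exit IP. The field names, rule weights, thresholds and the three checkout records are assumptions constructed for illustration; a production system would tune the weights from labelled data.

```python
"""Rule-based checkout risk scoring using the signals the article describes.

Added example (not from the article or any vendor). The field names, weights and
thresholds are illustrative assumptions; a production system would tune them from
labelled data. The point it shows: a carder behind a residential proxy passes the
IP-geolocation and AVS checks, so the remaining signals (account age, device
fingerprint inconsistent with the IP's location) have to carry the decision.
"""
from dataclasses import dataclass


@dataclass
class Checkout:
    account_age_minutes: int   # time since the customer account was created
    card_pasted: bool          # card number field was filled via a paste event
    avs_result: str            # "Y" full match, "A" street only, "Z" ZIP only, "N" no match
    ip_country: str            # geolocation of the client IP
    billing_country: str       # country of the billing address on the order
    ip_is_datacenter: bool     # IP belongs to a hosting/VPN provider (from an ASN lookup)
    browser_utc_offset: int    # UTC offset in minutes reported by the browser
    ip_utc_offset: int         # UTC offset in minutes of the IP's geolocated time zone
    pages_viewed: int          # pages browsed in the session before checkout


# (rule name, weight, predicate). Weights are assumptions for illustration.
RULES = [
    ("ip_country_mismatch", 30, lambda c: c.ip_country != c.billing_country),
    ("datacenter_or_vpn_ip", 25, lambda c: c.ip_is_datacenter),
    ("avs_no_match", 30, lambda c: c.avs_result == "N"),
    ("avs_partial_match", 10, lambda c: c.avs_result in ("A", "Z")),
    ("card_number_pasted", 10, lambda c: c.card_pasted),
    ("account_younger_than_1h", 15, lambda c: c.account_age_minutes < 60),
    ("browser_tz_differs_from_ip_tz", 20, lambda c: c.browser_utc_offset != c.ip_utc_offset),
    ("straight_to_checkout", 10, lambda c: c.pages_viewed < 2),
]


def score_checkout(checkout):
    """Return (total_score, [names of the rules that fired])."""
    fired = [(name, weight) for name, weight, test in RULES if test(checkout)]
    return sum(weight for _, weight in fired), [name for name, _ in fired]


def decision(score):
    """Map a score to an action; thresholds are assumptions."""
    if score < 30:
        return "approve"
    if score < 60:
        return "review"
    return "decline"


# Constructed cases (not real customers).
LEGIT_CHECKOUT = Checkout(
    account_age_minutes=576_000, card_pasted=False, avs_result="Y",
    ip_country="US", billing_country="US", ip_is_datacenter=False,
    browser_utc_offset=-300, ip_utc_offset=-300, pages_viewed=7)

# "Vbiv" through a residential proxy near the cardholder: fresh account created
# with the cardholder's address, details typed by hand, IP country matches the
# billing country, AVS passes. Only the browser time zone (UTC+3) disagrees with
# the US exit IP (UTC-5).
PROXIED_CHECKOUT = Checkout(
    account_age_minutes=25, card_pasted=False, avs_result="Y",
    ip_country="US", billing_country="US", ip_is_datacenter=False,
    browser_utc_offset=180, ip_utc_offset=-300, pages_viewed=9)

# Careless attempt: datacenter VPN abroad, pasted card, wrong address, no browsing.
CARELESS_CHECKOUT = Checkout(
    account_age_minutes=3, card_pasted=True, avs_result="N",
    ip_country="NL", billing_country="US", ip_is_datacenter=True,
    browser_utc_offset=60, ip_utc_offset=60, pages_viewed=1)


if __name__ == "__main__":
    for label, c in [("legit", LEGIT_CHECKOUT), ("proxied", PROXIED_CHECKOUT),
                     ("careless", CARELESS_CHECKOUT)]:
        total, fired = score_checkout(c)
        print(f"{label}: score={total} -> {decision(total)} {fired}")
```

With these weights the established customer scores 0 and is approved, the careless attempt trips six rules and is declined, and the proxied “Vbiv” attempt scores 35 and lands in manual review on the strength of just two signals. That middle case is the practical lesson of this section: once a carder has matched the IP locale and the billing address, consistency checks between the device fingerprint and the network location are among the few signals left.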
Coming up in part four: Preventing card fraud
In our final installment, we’ll discuss how knowledge of these carding tactics is the first step to protecting ourselves from falling prey to criminals and provide a protection checklist for businesses to plan and audit their defenses.